A close-up of South Africa's regulatory approach to data governance, content moderation, competition, artificial intelligence, and more.
The “DPA Digital Digest” series provides concise summaries of each G20 nation’s digital policy. Based on the Digital Policy Alert database, we outline rules and enforcement cases in data governance, content moderation, competition, artificial intelligence, and domestic points of emphasis.
South Africa, the G20 president for 2025, boasts a growing e-commerce sector: Sales grew to USD 4.06 billion in 2023, rising by 29% from the USD 3.15 billion in 2022, according to the International Trade Administration. Naspers projects other sectors of the digital economy to expand too, from ride-hailing (up to USD 350 million) to FinTech (up to USD 434 million). In the past five years, South Africa’s investment in digital infrastructure has grown, too, especially in telecommunication networks (approx USD 10.6 billion) and data centres (approx. USD 1.06 billion).
But what do South Africa’s domestic digital policies stand for? Our Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and South Africa-specific points of emphasis.
Data governance: South Africa has started enforcing its comprehensive privacy law, adopted the National Data and Cloud Policy, and is currently implementing the Cybercrime Act.
Content moderation: South Africa has developed its framework on harmful and prohibited online content, and is deliberating a framework for audio/-visual content services.
Competition policy: South Africa has introduced rules regarding killer acquisitions by digital providers and advanced its market inquiries on media and digital platforms, and online intermediation platforms.
Artificial intelligence: South Africa has published its National AI Policy Framework and participated in the African Union’s vision for a continental AI strategy.
South Africa’s points of emphasis include the taxation of the digital economy, cloud computing, electronic communications, and crypto assets.
Jump directly to the section that interests you most:
Discover the details of South Africa’s regulatory approach on our dedicated country page.
Remain up-to-date on new and upcoming developments with our free notification service.
Written by Tommaso Giardini, Nils Deeg and Tania Pierotic. Edited by Johannes Fritz.
Since July 2021, South Africa’s comprehensive privacy law, the Protection of Personal Information Act (POPIA), is fully implemented. Adopted in 2013, the POPIA applies to public and private “responsible parties” that process personal information (e.g. collect, receive or use data). The POPIA requires responsible parties to obtain consent for the processing of personal information, enabling justifications such as contractual performance, legal obligations and legitimate interests of the data subject. Data subjects can withdraw consent and have the right to access, correct and delete their data, among others. The Regulations Relating to the Protection of Personal Information outline procedures for responsible parties to comply with processing obligations and for data subjects to exercise their rights.
Since December 2021, the main provisions of the Cybercrimes Act are in force. The Act criminalises several cyber offences and establishes procedures for post-incident investigation and punishment. Codified cybercrimes include the unlawful interception of data, acquisition of passwords and access to data devices. The Act further criminalises the disclosure of “harmful” data messages, e.g. threats of violence. Several provisions of the Act are still to be implemented, including the obligation for “electronic communications service providers” and financial institutions to notify data breaches to authorities within 72 hours.
South Africa imposes sectoral data localisation obligations. The South African Revenue Service requires electronic tax records and accounting documents to be kept physically in South Africa, unless non-local storage is authorised. In March 2024, the National Data and Cloud Policy was adopted, requiring government data pertaining to protecting and preserving national security and sovereignty to be stored within South Africa. An earlier draft of the Policy proposed obligations to process and store critical infrastructure information in South Africa and stated that data generated in South Africa would be the property of South Africa, regardless of the company domicile.
The POPIA prohibits data transfers unless 1) the recipient is subject to an adequate level of data protection (by law or binding corporate rules), 2) the data subject consents to the data transfer, 3) the transfer is necessary for the performance of a contract, or 4) the transfer is for the benefit for the data subject. The POPIA does not cover standard contractual clauses.
The POPIA established the Information Regulator (IR) as an independent enforcement body with the power to issue secondary legislation. The IR has issued several guidelines, including on:
the processing of children’s personal information;
the authorisation procedure to process “special personal information”, such as religious beliefs and sexual orientation;
the application for information requiring prior authorisation, such as unique identifier or credit reporting data; and
the procedure to develop sectoral codes of conduct.
The IR has further approved two codes of conduct proposed by the Credit Bureau Association and the Banking Association of South Africa. It has consulted on further codes of conduct for direct marketing, and residential communities. Currently, the IR is deliberating draft rules of procedure for its Data Protection Enforcement Committee.
In terms of enforcement, the IR issues enforcement notices to entities interfering with data subject rights, requiring them to take certain steps or cease processing certain personal information. In the 2023/2024 financial year, the IR resolved 682 of 982 POPIA complaints, while in the 2022/2023 financial year, 616 of 895 complaints were resolved.
In September 2024, the IR reportedly issued an enforcement notice to Whatsapp in an investigation into its privacy policy. Specifically, the IR expressed concerns that WhatsApp’s privacy safeguards were stronger in the EU, despite the POPIA and the EU’s GDPR providing similar standards of protection.
In February 2024, the IR issued the first POPIA enforcement notice in relation to direct marketing to the training institution FR Ram Consulting, requiring the organisation to cease sending unsolicited direct marketing messages and obtain proper consent.
In September 2023, the IR issued an enforcement notice to Dis-Chem Pharmacies Ltd in relation to a major data breach, requiring the organisation to take measures such as impact assessments, incident response plans, and compliance frameworks.
Since March 2022, the amended Films and Publications Act regulates the online distribution of films, games and publications, including user-generated content on social media and video-sharing platforms. The Act prohibits the online distribution of specific content, including private sexual material, child pornography and war propaganda, among others, as detailed by the implementing regulation. Distributors, including “commercial online distributors”, must submit online content, including user-generated content, for classification. Distributors and internet service providers must also register.
The Film and Publications Board (FPB) is empowered to investigate complaints regarding unclassified or prohibited content and identify users and issue takedown notices.
In August 2022, the FPB issued revised classification guidelines specifying the criteria for content classification.
In October 2022, the FPB required internet service providers to provide details of minor protection measures.
In August 2023, the FPB consulted on several draft regulatory instruments, including an industry code on online harm prevention, and guidelines on peer-to-peer video sharing and determining harmfulness of online content.
In April 2024, in response to a legal challenge, the FPB withdrew a set of regulations which would have required internet service providers to take measures against election misinformation and disinformation.
The government continues to review potential options for reforming the online content framework. In July 2023, the White Paper on Audio and Audiovisual Media Services and Online Content Safety proposed the application of local content obligations to online services, the updating of codes of conduct, and the implementation of online safety measures. The 2020 White Paper on Audio and Audiovisual Content Services Policy Framework sets the blueprint for a policy framework regarding online audio and audiovisual content consumption. The framework would require broadcasting services, on-demand content services and video-sharing platform services to obtain a license to operate. The goal of the framework is to protect against content including war propaganda, incitement of violence, and hatred based on race, ethnicity, gender or religion.
There are no public, official sources on the South African government’s online content moderation enforcement actions.
The 1998 Competition Act established the Competition Commission and introduced rules regarding unilateral conduct and mergers. The Act was repeatedly amended, including in 2020 regarding price discrimination by dominant firms, and clarified by secondary legislation. The 2020 Buyer Power Regulations designate the e-commerce and online services sectors, among others, subjecting them to specific rules regarding “unfair” prices and trading conditions. The Regulations prohibit dominant firms from imposing unfair prices on suppliers, namely prices that are lower than the prices for other suppliers of like products or previous prices. In addition, the Regulations provide a provisional list of unfair trading conditions, e.g. risk transfers to suppliers.
Regarding mergers, since 2022, the Revised Guideline on Small Merger Notification empowers the Competition Commission to require notification of mergers and share acquisitions below the normal notification thresholds. The revision addressed the concern that transactions in digital markets circumvent regulatory scrutiny through early-stage acquisitions, conducted before the target generates sufficient turnover or assets to trigger mandatory notification.
South Africa’s Competition Commission regularly enforces competition rules in the digital economy. The Commission’s 2020 report on Competition in the Digital Economy outlines its enforcement approach and specifies issues relating to abuse of dominance, merger control, cartel conduct, and vertical restraints in digital markets. In February 2022, the Commission issued a joint statement with the competition authorities of Egypt, Kenya, Mauritius and Nigeria, committing to increase cooperation in addressing competition challenges in digital markets.
The Commission conducts market inquiries when a feature in a market restricts, impedes or distorts competition in that market.
In October 2023, the Commission fully launched a market inquiry into media and digital platforms (MDPMI). The MDPMI focuses on the distribution of news content on digital platforms and news aggregation services, specifically by search engines, social media platforms, news aggregators, video-sharing platforms and generative AI services. Furthermore, the Commission scrutinises South African news companies' dependency on digital platforms. The MDPMI provisional report is expected in November 2024.
In July 2023, the final report of the Commission’s market inquiry into online intermediation platforms (OIPMI) was published, including remedial actions against Google, Booking, Apple, and Uber Eats, among others. In August 2024, the Commission settled an appeal case regarding the remedial actions with Booking, which committed to removing narrow and wide price parity clauses. Launched in 2021, the inquiry focused on unilateral conduct and conglomeration, among others, by providers of online intermediation platform services, such as e-commerce and mobile application stores.
The Commission further engages in case-based enforcement of unilateral conduct rules. In February 2022, the Commission referred Meta to the Competition Tribunal for abuse of dominance relating to the WhatsApp Business Application Programming Interface (API). Allegedly, Meta imposed and selectively enforced exclusionary terms and conditions for firms to access the API, and blocked certain start-ups’ access.
The Commission is particularly active in relation to mergers.
In September 2024, the Commission approved Hewlett Packard’s acquisition of Juniper Networks, a merger relevant to the network infrastructure market.
In August 2023, the Commission recommended the blocking of the Vodafone/Maziv merger, which concerned the fibre infrastructure and mobile operator markets.
In August 2023, the Commission approved the Basileia/Porcupine Union merger, which is relevant to the IT consulting and insurance sectors.
In April 2023, the Commission approved the proposed Microsoft/Activision Blizzard acquisition since it was unlikely to result in a substantial prevention or lessening of competition. The investigation addressed whether Microsoft could restrict the distribution of Activision Blizzard games (“Call of Duty”) to its console or otherwise disadvantage competing console manufacturers. es mergers.
In 2020, the Commission approved the Google/Fitbit acquisition with several conditions, to prevent Google from excluding Fitbit’s competitors in the market for wrist-worn wearable devices, entrenching its dominance in the online advertising and search markets, and restricting access to collected health data. Google committed, for 10 years, not to reduce other wrist-worn wearable device manufacturers’ access to Android functionalities, to separate Google and Fitbit data and to allow third parties continued access to health data through the Fitbit Web API.
In August 2024, South Africa published the National AI Policy Framework. The Framework sets out a problem statement regarding the country’s AI development approach and names strategic pillars for AI policy, including talent development, infrastructure, innovation, public sector efficiency, ethical AI, privacy, security, transparency, and fairness. The Framework is intended as a foundation for developing future AI regulations in the country.
South Africa is also a member state of the African Union (AU) and participates in its continent-wide policy initiatives. In June 2024, the AU endorsed the African Continental AI Strategy which sets out a regulatory approach based around the five focus areas of harnessing AI benefits, addressing AI-related risks, accelerating member state infrastructure and research capabilities, fostering regional and international cooperation, and stimulating AI investment. The Strategy also proposes fifteen different action areas, including establishing AI governance systems, implementing ethical AI principles, and adopting technical standards on AI. The AU has also committed to cooperation with China on AI, pledging to increase policy dialogue, and promote research and industrial development.
There are no public, official sources on the South African government’s AI enforcement actions.
In July 2023, the government consulted on the White Paper on Audio and Audiovisual Media Services and Online Content Safety, which included a proposal to impose a 2% turnover tax on digital platforms.
Since 2020, South Africa’s National Treasury has mentioned the possibility of establishing a digital service tax in every annual Budget Review up to February 2023. The government has refrained from advancing specific proposals in view of international developments, specifically mentioning the OECD/G20 Inclusive Framework on BEPS in its Budget Reviews.
Since 2019, South Africa requires foreign suppliers to levy a value-added tax of 15% on a broad variety of electronic services. Namely, the tax applies to any service supplied by means of an electronic agent, electronic communication or the Internet. Electronic or digital content transmitted via telecommunications services is beyond the scope of the tax. The 2024 Budget Review proposes to limit the value-added tax to non-resident vendors who supply electronic services to non-vendors or end consumers while also requiring non-resident vendors to appoint a representative vendor, though they do not have to be resident in South Africa.
In May 2024, the government published the final National Data and Cloud Policy, which sets out a framework for utilising data through cloud technology. The Policy sets out data protection measures, including establishing an open data framework and reviewing South African data protection and security frameworks, as well as cybersecurity measures, including implementing robust security measures and strengthening the Cybersecurity Hub. In terms of data protection authority governance, the Policy calls for enhanced enforcement actions and the establishment of an Advisory Council. The Policy also calls on the Competition Commission to review the adequacy of competition rules in relation to the cloud and data market and identify potential anti-competitive trends in that market.
A number of changes were made from the previous draft, which suggested the establishment of a High-Performance Computing and Data Processing Centre, the development of a State Digital Infrastructure Company and the establishment of a single agency responsible for data matters.
The Electronic Communications Act of 2005 imposes a variety of regulatory requirements for providers of electronic communications, including a two-tiered licensing regime. Implemented in March 2023, the National Policy on Rapid Deployment of Electronic Communications Networks and Facilities establishes a process for licensees to access properties in order to deploy electronic communications networks and facilities. Also in March 2023, the Independent Communications Authority of South Africa amended the End-user and Subscriber Service Charter Regulation. The regulation sets minimum standards for electronic communications services provided to end-users, to ensure quality of service and safeguard user rights, which are expanded by the amendment to enable monitoring and enforcement regarding customer care.
In June 2023, the Department of Communications and Digital Technologies consulted on a draft Electronic Communications Amendment Bill, which would add “electronic communications facilities services” as a new licence category. The draft Bill also envisions additional powers for competition authorities in the electronic communications market. The draft White Paper on Audio and Audiovisual Media Services and Online Content Safety from July 2023 also included suggestions for updating the licensing frameworks for broadcasting services by introducing new categories, such as audio and audiovisual media services and on-demand content services.
In October 2022, a declaration by the Financial Sector Conduct Authority (FSCA) classified crypto assets as financial products under the Financial Advisory and Intermediary Act. Providers of crypto asset services must obtain authorisation as financial services providers from the FSCA. Crypto assets are defined as the digital representation of a value that could be transferred, traded or held electronically, that was not issued by a national central bank and that uses distributed ledger technology and cryptographic techniques. In August 2022, the South African Reserve Bank issued a guideline on risk management, illegal financing, and anti-money laundering standards for banks handling crypto assets. The guideline requires banks to decide case-by-case whether the business partners are safely handling crypto assets. In January 2023, the South African Advertising Regulatory Board expanded the Code of Advertising Practice regarding crypto assets. Crypto advertisements must state that investing in crypto assets may result in capital loss, be easily understandable and provide a balanced view regarding risks. Promoters of crypto assets cannot offer advice on crypto trading and promise returns.
The South African Reserve Bank (SARB) launched a feasibility study for a central bank digital currency (CBDC) in 2021, to investigate a CBDC’s use as electronic legal tender for general-purpose retail use, complementary to cash. South Africa’s Project Khokha, conducted in two phases until April 2022, analysed the potentials and risks of a wholesale central bank digital currency and wholesale digital settlement token. At the international level, until March 2022, SARB participated in Project Dunbar with the Bank for International Settlements and the central banks of Australia, Malaysia and Singapore. The project developed prototypes for platforms enabling international settlements using multiple central bank digital currencies.